“Going passwordless” is an all too common phrase, but it’s a fairly vague term that doesn’t really suggest much about the concept other than the obvious – going ‘without’ a password. What does going passwordless really mean, and why is it a necessary step to secure the enterprise?
The Demise of the Password
Passwords have long guarded access to sensitive and important information – a memorised secret that you must have in order to gain permission to enter.
Passwords truly came into their own with the age of computing – everything users access, from emails to their Amazon account is protected behind a password. A barrier to access, passwords in the corporate world protect a range of data, some trivial, some highly sensitive. Businesses are often trusting critical data with simply a password to protect them. Twenty years ago, a password was more than adequate, but now, 80% of hacking-related breaches are leveraging weak and compromised passwords.
So, what’s changed? Why are passwords now such a key and exploitable entry point to corporate and personal data?
The Password Vulnerability
The fall of the password can be attributed to many factors:
Data breaches – every year, companies are having databases hacked and exposed online. These online databases often contain the usernames, emails and passwords for thousands or even millions of customers of the exposed company. An Adobe data breach in 2013 impacted 153 million user records, which saw hackers steal credit card records, as well as expose customer names, IDs, passwords and more.
Password reuse – continuously reusing passwords is a common problem. When users must input passwords for almost every service they use, remembering them all is no mean feat. To save time and effort, many use the same passwords across multiple services. Although this can save time in the immediate, one exposed password can open users up to bad actors gaining access across a number of different platforms if the victim has reused passwords.
Cybercriminals are getting more sophisticated – from the tools to the methods they use, every trick in the book is being brought out to great effect. Bad actors can use malware that is equipped with key logger components meaning that, even if the user is confident they’re working securely, their username and password could be captured.
Phishing and social engineering – cybercriminals are getting more cunning, creating an endless range of methods to trick information out of people. Phishing emails and spoofed websites are tricking users into sharing usernames and passwords. Campaigns targeting specific platforms, such as Microsoft Office, are rolled out on a huge scale.
Social media – users will commonly use a password that is easy to remember. This often takes the form of memorable personal information, such as a pet’s name, primary school or favourite football team. However, people are also inclined to often share such information via social media, making them easy pickings.
Whilst bad actors may target employees en-mass, targeted attacks can reap rewards. Despite an expected heightened awareness of the importance of security for high-level employees, data suggests otherwise. 34% of director-level and above staff use a top ten most common password – the likes of ‘qwerty’, ‘abc123’, and ‘Password’. These are corporate employees with extremely high-levels of access privilege who often have access to corporate accounts and highly sensitive data. A bad actor could exploit such a situation with ease.
It’s clear that passwords are a risky tool to place the security of a business in. And with the financial impact of data breaches costing companies an average of $3.86 million and a recent GDPR fine to Marriott Hotels costing $23.77 million, organisations should do everything they can to secure their data.
What About 2FA and MFA?
Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) are security solutions that can make the password more secure. By adding an extra layer or layers of security, they are intended to be a more secure approach to the password.
2FA and MFA can slow a bad actor down, with the use of additional authentication factors, such as an SMS token, hard token, one-time passcode or knowledge-based questions. But hackers are increasingly sophisticated, and many of the problems that apply to passwords are also applicable to 2FA and MFA. Learn about the issues troubling these authentication methods here.
In short, bad actors can easily exploit 2FA and MFA, utilising the likes of phishing, social engineering and call forwarding. Whilst they can add extra layers of security, a dedicated and sophisticated hacker with the right tools at their disposal can bypass these.
In addition, these extra layers of security contribute to a poor user experience. Additional steps slow down employees and make the whole process extremely clunky and disjointed.
However, going passwordless does begin with MFA, and for businesses at the beginning of their digital transformation, the first step of a passwordless authentication strategy is ensuring that MFA is enabled.
“The Password is Dead”
Passwords create challenges for both organisation and user. They are also expensive, with research by Forrester suggesting that a single password reset costs $70 due to the time and resources required per help desk call.
Moving beyond and eliminating the password is the next logical step – removing the cumbersome password that is so often compromised.
Passwordless authentication is such a solution. On a very basic level, passwordless authentication simply means that a user’s identity can be verified, and subsequent access granted or denied, without the use of a password.
Instead, user identity can be confirmed by a user simply inputting their email, and then selecting an option including a one-time passcode, biometric data, security token or more. This approach eliminates the slow procedure of entering a password and negates the need of a help-desk for password resets.
Passwordless approaches don’t just end there however. Adaptive authentication eliminates the need for a password and more without impacting users. True adaptive authentication performs multiple threat/risk checks in the background of a user logging on. These checks can include:
- Device recognition check – has the device been used to login before?
- Geographic location – if the user last accessed corporate information from London three hours ago, then it’s not possible that a new login is currently happening in Russia.
- Malicious IP check – is the IP address the user is connecting from known and trusted?
These are just a small number of the types of checks that adaptive authentication can do in the background. If one of these risk factors is identified, then the risk level is raised and multi-factor authentication is prompted. If there are too many risks identified, then the login request is blocked. As a result, corporate systems are secured, with users having a seamless user experience. Crucially for employees, remembering 30 different passwords for corporate logins becomes a thing of the past.
One area of going passwordless which is often overlooked is what it means for IT. Traditional password-based authentication is often a victim of users reusing and sharing passwords. By removing passwords then the ability to phish, reuse and share them is also removed. Once passwords are removed, IT can reclaim the ability to have true visibility over identity and access management. IT will be able to confirm whether the user logging in to a system is actually who they say they are. As a result, the user is no longer the weak spot when it comes to bad actors and access.
Passwordless authentication continues to innovate and use various technologies to ensure secure and seamless identity verification. For organisations looking to truly secure their data, a passwordless approach removes dependencies on the antiquated password which has so many times been proven to be insecure and weak. Sectors with access to extremely sensitive data, such as the financial industry, should be especially cautious of their approach to passwords.
Is The Future In Biometrics?
The use of biometric data is an ideal way to securely speed up access to information. Unique to individuals, technology can quickly grant access to the right person.
Biometrics is still a sensitive topic for many, with some uncomfortable with companies or businesses having access to personally identifiable biological data. Despite a large number of consumers using biometrics in day-to-day life, such as a fingerprint or facial recognition to log in to their smartphone, public appetite for it is still lacking. Fewer than one in three consumers are comfortable sharing biometric data with companies or the government.
Consumers are willing to share their biometric data to save time:
13% will share to save 30 seconds or less
12% will share to save 5 minutes
10% will share to save 10-30 minutes
Biometrics is often an option for many passwordless solutions, however, users are still granted the ability to choose alternate options.
Biometrics alone can also be argued to be insecure and should typically be used alongside another form of authentication. One of the strongest arguments against the use of solely biometric data is that, unlike a password, biometric data cannot be changed if it is stolen.
Despite the uniqueness of biometrics, the best current solution available to organisations who desire a passwordless solution is adaptive authentication. With a proven track record, it utilises the best available tools to secure the enterprise.
How Can We Help?
Securing the enterprise is a top priority. We can work with you to understand the needs of your organisation and employees, tailoring a solution that solves your authentication problems. Get in touch to find out more about how going passwordless is the next step.
